Find out if your router is listening on backdoor port 32764

Some days ago it became public knowledge that some routers, that's devices used for establishing Internet connections among other things, are listening on the undocumented port 32764.

First, it was only discovered in one device, the Linksys WAG200G, but it was soon discovered that many routers were also listening on that port. Among the devices are the Cisco WAP4410N-E, the Netgear DGN2000, the OpenWAG200, or the LevelOne WBR3460B.

The list on the Github website is large, and it is likely that here are other routers affected not listed there yet. It seems to be predominantly Cisco, Linksys and Netgear which listen on the port, even though not all routers by the mentioned companies are affected by it. The Linksys WRT160Nv2 for example is not listening.

It is currently not known why the routers are listening on that port. Many have suggested that this is yet another way for the NSA to spy on people around the world, and while that is a possibility, it is not the only one.

Find out if your router is listening on port 32764

If your router is not on the positive or negative list, you may want to find out if it is listening on port 32764, and if it is, stop the process to protect your systems.

There are several options to find that out. Here are several ones:

Load http://yourRouterIP:32764/ in your web browser of choice. If affected, you should see ScMM or MMcS on the screen. I cannot confirm that this works for all set ups though. You can check your IP address here.

Run the Python script poc.py on your system. You do need Python installed on it for that to work though. Run the script in the following way: python poc.py --ip yourRouterIP.For instance python poc.py --ip 192.168.1.1

If telnet is running, you can also use the command telnet yourRouterIP 32764 to find out if the router is vulnerable. You see ScMM or MMcS in that case on the command prompt.

If your router is listening on port 32764, you may want to block this from happening. You have quite a few possibilities to cope with the situation and secure your system.

Add a rule to the router's firewall to block the port 32764. How that is done depends on the model you are using. Usually, it involves loading the router's web interface on its local address, e.g. http://192.168.1.1/, typing in the password (on the back of the router usually if default), and finding the firewall or network options there.

Install an Open Source firmware like Tomato or OpenWRT. Note that some have been reported to be vulnerable as well, so make sure you test again after you install.

Get a router that is not affected by the vulnerability.

Testing

Once you have made changes, it is highly recommended to test for the vulnerability again to make sure that you have successfully blocked the port on your system.

Please share this article

About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.
You can follow Martin on Facebook, Twitter or Google+

Responses to Find out if your router is listening on backdoor port 32764

TP-LINK users may want to try this:
"If you want to know whether your router is affected by this
vulnerability, you can find it out by performing the following steps:
1. Open a browser and log in to your router
2. Navigate to the DHCP settings and note the DNS servers (it may be
0.0.0.0, which means that it uses the DNS server from your router's
upstream internet connection)
3. Open a new browser tab and visit the following URL (you may have to
adjust the IP addresses if your router isn't using 192.168.1.1):

If your router is vulnerable, this changes the DNS servers to 8.8.4.4
and 8.8.8.8 (the two IP addresses from Google Public DNS). Please note
that the request also reverts the DHCP IP range and lease time to the
default value.
4. Go back to the first tab and reload the DHCP settings in the router
web interface
5. If you see the servers 8.8.4.4 and 8.8.8.8 for primary and secondary
DNS, your router is vulnerable.
6. Revert the DNS settings to the previous settings from step 2
7. If your router is vulnerable, you may also upgrade it to the latest
firmware and check whether it is still vulnerable."
src: http://cxsecurity.com/issue/WLB-2013100223
or this :
192.168.0.1/userRpmNatDebugRpm26525557/linux_cmdline.html
src: http://www.websec.ca/advisories/view/root-shell-tplink-wdr740

I am wondering whether setting a firewall rule in the router really helps blocking port 32764, if Sercomm has decided to cooperate with security agencies for data monitoring?
The situation could be more tricky for corporate and institute networks in which users cannot get control over the routers but only IT departments who are not always that responsive.
Sercomm is a Taiwan chip manufacturer, does that suggest any possible explanation for this port listening? Just think about this: linksys , cisco, netgear routers are everywhere in mainland China, and security agents can just drop in to these devices using this "secret port".

I remember years ago opening this port for one of my media apps. I'm thinking it was something like MythTV or Snapstream. The software used this one to stream media.
I'm definitely sure I used 32764 for something of the sort back in the day. Heck, it could have even been for torrents or kazaa/bearshare/etc.

Dont heed anything this guy is saying. Putting your host in the dmz is hanging your ass out in the breeze. Betting that port scan info is getting trapped by the server as well. Really, really bad advice

Topics

Advertisement

About Ghacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.